topic Re: PIX 501 NAT problem in Network Security

PIX 501 NAT problem

pglevelle — Fri, 21 Feb 2020 07:44:52 GMT

I have a 501 firewall for the past couple of years at a client site. In recent months they have a growing problem of a random users not able to connect to the Internet. Typically 1-2 users are able to connect in the morning and then the next user is unable. No pattern of specific users on a small LAN of 4-6 users. Rebooting the 501 by power cycling cures the problem for several days until it happens again. They are now frustrated at want me to solve the issue. The IOS has never been updated.

Clinet has a single public IP address and I "assume" that somehow NAT is not functioning correctly....but not sure.

Any suggestions on how to start solving?

TIA, Phil

Re: PIX 501 NAT problem

Patrick Iseli — Mon, 15 Nov 2004 18:32:28 GMT

Could you post the NATing part of your config ?

nat, globals, ip config and routes, ACL is it have ..

thanks

Patrick

Re: PIX 501 NAT problem

jczepiga — Mon, 15 Nov 2004 19:15:51 GMT

Is this a 10 user license 501? If so they may be going over the license limit. The PIX keeps track of that by the IP addresses that have gone through it. Rebooting the PIX clears the list. I ran into the same thing a few years ago. The "show local-host" command will show you how many IP's are is use. You can use the "clear local-host" command to clear out old ones. Newer software may solve the problem. Cisco's site states that these are concurrent users, but I know the older software kept the IP's longer.

How many users are at that site? Also are they on DHCP or do they have static IP's?

Re: PIX 501 NAT problem

pglevelle — Mon, 15 Nov 2004 20:00:56 GMT

Patrick,

Here is the complete listing minus the security information...when I do a sh xlate the 501 says that 17 are in use. There are only 8 possible users on this SBS 2000 based domain. Are we exceeding a limit?

Phil

PIX Version 6.1(1)

nameif ethernet0 outside security0

nameif ethernet1 inside security100

enable password xxxxxxx encrypted

passwd xxxxxxx encrypted

hostname pixfirewall

domain-name xxxxxx.com

fixup protocol ftp 21

fixup protocol http 80

fixup protocol h323 1720

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol sip 5060

fixup protocol skinny 2000

names

access-list 100 permit icmp any any echo-reply

access-list 100 permit icmp any any time-exceeded

access-list 100 permit icmp any any unreachable

access-list 100 permit tcp any host xxxxx eq www

access-list 100 permit tcp any host xxxxx eq smtp

access-list 100 permit tcp any host xxxxx eq ftp

access-list 100 permit tcp any host xxxxx eq 3389

access-list 100 permit tcp any host xxxxx eq pop3

pager lines 24

logging on

interface ethernet0 10baset

interface ethernet1 10full

mtu outside 1500

mtu inside 1500

ip address outside xxxxx 255.255.255.0

ip address inside 10.0.0.1 255.255.255.0

ip audit info action alarm

ip audit attack action alarm

pdm location 10.0.0.9 255.255.255.255 inside

pdm logging informational 100

pdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 1 10.0.0.0 255.255.255.0 0 0

static (inside,outside) tcp xxxxx smtp 10.0.0.9 smtp netmask 255.255.255.

255 0 0

static (inside,outside) tcp xxxxx www 10.0.0.9 www netmask 255.255.255.25

5 0 0

static (inside,outside) tcp xxxxx 3389 10.0.0.9 3389 netmask 255.255.255.

255 0 0

access-group 100 in interface outside

route outside 0.0.0.0 0.0.0.0 xxxxx 1

timeout xlate 0:05:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 si

p 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server RADIUS protocol radius

http server enable

http 10.0.0.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

tftp-server inside 10.0.0.9 //xxxxx/c:/cisco_pix

no floodguard enable

no sysopt route dnat

telnet timeout 5

ssh timeout 5

dhcpd address 10.0.0.12-10.0.0.41 inside

dhcpd dns 206.26.36.34 10.0.0.9

dhcpd wins 10.0.0.9

dhcpd lease 360000

dhcpd ping_timeout 750

dhcpd domain xxxxxx.com

dhcpd enable inside

terminal width 80

Cryptochecksum:xxxxxx

pixfirewall# exit

Re: PIX 501 NAT problem

pglevelle — Mon, 15 Nov 2004 20:09:01 GMT

Yes this is a 501 with 10 user license. I did a sh xlate command before I performed the clear local-host and it said 17 users. After the clear was sent the total is now 7 users. Can be extend the license on the 501?

Phil

Re: PIX 501 NAT problem

jczepiga — Mon, 15 Nov 2004 20:21:54 GMT

You can upgrade the license, but if there are fewer than 10 devices behind the PIX, you shouldn't have to do that. The software version I saw the problem in was 6.1(1). I have other customers on 10-user PIX'es now that do not seem to be having problems. What version of the PIX software is on that PIX?

Re: PIX 501 NAT problem

pglevelle — Mon, 15 Nov 2004 20:23:48 GMT

Frogot to say that we use the dhcp on the 501 for the dynamic IP address for users. About 4 desktops are in the office all of the time and the other 4 laptops used in the field that are in the office on a random basis.

I also see that we can purchase a 50 user license for the 501 if this is the cause. I still don't understand why just 8 max users are bumping into this 10 license issue.

Phil

Re: PIX 501 NAT problem

jczepiga — Mon, 15 Nov 2004 20:37:39 GMT

If the DHCP server is giving them different IP addresses, then those new addresses will count towards the total number of IP's passing through the PIX. I'm not sure why the PIX does not time out those addresses in the older versions. If you type "show local-host" over the next few days, you should see what addresses are taking up those licenses. I would upgrade the PIX to the latest software and watch the local-host list. If the DHCP server is just handing out different IP addresses to those devices every time, you may want to increase the lease time.

Re: PIX 501 NAT problem

Patrick Iseli — Mon, 15 Nov 2004 20:39:35 GMT

Check the release notes of your FOS version, might be a bug? I think the as the hosts are dynamic the PIX counts up all the time more hosts.

Why do you not configure your DHCP to just 10 host this may solve your issue !!!

For example: FOS 6.1.3 had

BugID CSCdw25026

License not released after 30 seconds in certain scenario.

The 501 license is based on "local-host" entries. You can issue a 'sh local-host' on the PIX to see the total number of licenses the PIX has counted.

What PIX OS version are you using ?

sincerely

Patrick

Re: PIX 501 NAT problem

pglevelle — Mon, 15 Nov 2004 20:51:00 GMT

Patrick,

As shown in earlier posting to you, our 501 is running 6.1(1) FOS. I did a sh local-host after doing a clear local-host and got back 7 users.

Sounds like your suggestion is to limit the hosts to 10 instead of the range of 12-41 that is currently configured?

Thanks, Phil

Re: PIX 501 NAT problem

Patrick Iseli — Mon, 15 Nov 2004 21:11:08 GMT

Yes Phil, would be good thing to do this anyway. I does just give troubles to give more than 10 DHCP addresses in an 10 user license.

The problem is definitly a bug in the 6.1.1 code I suggest you to upgarde it to 6.3.4 this release fixed also a DOS problem in the TCP/IP code.

sincerely

Patrick

Re: PIX 501 NAT problem

pglevelle — Mon, 15 Nov 2004 21:31:33 GMT

Patrick,

Well I just made the dhcp change to restrict to 10 IP address leases for 100 hours. I looked at the release notes on 6.1(1) and did not see anything specific to my issue. I did a "sh local-host" command and there are currently 8 users. Guess that everyone is in the office today.

I've never done a update to the FOS. How much effort is involved in doing this to a 501? I see the latest version is 6.3.4.

Phil

Re: PIX 501 NAT problem

jczepiga — Mon, 15 Nov 2004 22:06:43 GMT

It's a fairly simple process. You will need a copy of the pix634.bin and PDM-302.bin (if you want to use the PIX Device Manager). Then you will need a TFTP server. From the console you will type "copy tftp://x.x.x.x/pix634.bin flash:" (where x.x.x.x is the IP address of the TFTP server. Once that is completed, you can copy the PDM with "copy tftp://x.x.x.x/pdm-302.bin flash:pdm" When both of these are completed, just type "reload".

Re: PIX 501 NAT problem

Patrick Iseli — Mon, 15 Nov 2004 22:31:06 GMT

Here are some details of this bug !!!

CSCdw25026 Bug Details

First Fixed-in Version 6.1(4), 6.1(1.104) Version

First Found-in Version 6.1(1)

Symptom:

License or host object not released after 30 seconds idle.

Conditions:

If a host retain the license longer than 30 seconds.

Workaround:

Use clear local-host

See Bug Tool:http://www.cisco.com/kobayashi/support/tac/tools.shtml

The upgarde is not really complicate you need a local TFTP server or you can download it from a Website see: Upgrading Software for the Cisco Secure PIX Firewall and PIX Device Manager

http://www.cisco.com/warp/public/110/upgrade.shtml

sincerely

Patrick

Re: PIX 501 NAT problem

pglevelle — Tue, 16 Nov 2004 15:44:48 GMT

Patrick,

Thanks to you for the clear description of the cause for the random problem accessing the Internet we see. I will update the FOS.

Phil

Re: PIX 501 NAT problem

pglevelle — Wed, 24 Nov 2004 17:41:57 GMT

Patrick,

I am now trying my best to obtain an upgrade to the FOS and PDM for this PIX 501 firewall with version 6.1(1). Very frustrated in tyring to obtain these images from Cisco. I do not have a current support contract and sales support keeps telling me to purchase a smartnet 8x5xnbd I am not impressed to be force to purchase a support on a bug caused by Cisco.

Any suggestions on how to solve this issue of support???

Phil

Re: PIX 501 NAT problem

scoclayton — Wed, 24 Nov 2004 18:43:40 GMT

Phil,

Send me an e-mail (sclayton@cisco.com) and I will see if I can help you out on this.

Scott

Re: PIX 501 NAT problem

pglevelle — Sat, 27 Nov 2004 20:46:02 GMT

Scott and others...

Thanks to all with your suggestions. Finally got TAC to allow me to download the binaries for the latest FOS and PDM. Installed them to the PIX 501 yesterday and they seemed to be working fine. Will only know if the max licensed host limit issue is fixed in the coming week. Now am trying to configure the VPN so that owner can work from home on client proposals.